Accepting request 1244271 from devel:languages:python:Factory

- Add CVE-2025-0938-sq-brackets-domain-names.patch which disallows square brackets ([ and ]) in domain names for parsed URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704) - Add 314a4-no-SO_REUSEPORT.patch to fix build on new kernel (gh#python/cpython#128916). - Configure externally_managed with a bcond https://en.opensuse.org/openSUSE:Python:Externally_managed bsc#1228165 - Update to the fourth development version of 3.14.0: - Tools/Demos - gh-128152: Fix a bug where Argument Clinic’s C pre-processor parser tried to parse pre-processor directives inside C comments. Patch by Erlend Aasland. - Tests - gh-128690: Temporarily do not use test_embed in PGO profile builds until the problem with test_init_pyvenv_cfg failing in some configurations is resolved. - Library - gh-128731: Fix ResourceWarning in urllib.robotparser.RobotFileParser.read(). - gh-71339: Add new assertion methods for unittest: assertHasAttr(), assertNotHasAttr(), assertIsSubclass(), assertNotIsSubclass() assertStartsWith(), assertNotStartsWith(), assertEndsWith() and assertNotEndsWith(). - gh-118761: Improve import time of pickle by 25% by removing an unnecessary regular expression. As such, re is no more implicitly available as pickle.re. Patch by Bénédikt Tran. - gh-128661: Fixes typing.evaluate_forward_ref() not showing deprecation when type_params arg is not passed. - gh-128562: Fix possible conflicts in generated tkinter widget names if the widget class name ends with a digit. - gh-128559: Improved import time of asyncio. - gh-128552: Fix cyclic garbage introduced by asyncio.loop.create_task() and asyncio.TaskGroup.create_task() holding a reference to the created task if it is eager. - gh-128340: Add internal thread safe handle to be used in asyncio.loop.call_soon_threadsafe() for thread safe cancellation. - gh-128182: Fix crash when using ctypes pointers concurrently on the free threaded build. - gh-128400: Only show the current thread in faulthandler on the free threaded build to prevent races. - gh-128400: Fix crash when using faulthandler.dump_traceback() while other threads are active on the free threaded build. - gh-128388: Fix PyREPL on Windows to support more keybindings, like the Control-← and Control-→ word-skipping keybindings and those with meta (i.e. Alt), e.g. Alt-d to kill-word or Alt-Backspace backward-kill-word. - gh-88834: Unify the instance check for typing.Union and types.UnionType: Union now uses the instance checks against its parameters instead of the subclass checks. - gh-128302: Fix xml.dom.xmlbuilder.DOMEntityResolver.resolveEntity(), which was broken by the Python 3.0 transition. - gh-128317: Highlight today in colour in calendar’s CLI output. Patch by Hugo van Kemenade. - gh-128302: Allow xml.dom.xmlbuilder.DOMParser.parse() to correctly handle xml.dom.xmlbuilder.DOMInputSource instances that only have a systemId attribute set. - gh-128151: Improve generation of UUID objects version 3, 4, 5, and 8 via their dedicated functions by 30%. Patch by Bénédikt Tran. - gh-128118: Improve performance of copy.copy() by 30% via a fast path for atomic types and container types. - gh-127946: Fix crash when modifying ctypes._CFuncPtr objects concurrently on the free threaded build. - gh-128062: Revert the font of turtledemo’s menu bar to its default value and display the shortcut keys in the correct position. - gh-128014: Fix resetting the default window icon by passing default='' to the tkinter method wm_iconbitmap(). - gh-41872: Fix quick extraction of module docstrings from a file in pydoc. It now supports docstrings with single quotes, escape sequences, raw string literals, and other Python syntax. - gh-127060: Set TERM environment variable to “dumb” to disable traceback colors in IDLE, since IDLE doesn’t understand ANSI escape sequences. Patch by Victor Stinner. - gh-126742: Fix support of localized error messages reported by dlerror(3) and gdbm_strerror in ctypes and dbm.gnu functions respectively. Patch by Bénédikt Tran. - gh-122548: Adds two new local events to sys.monitoring, BRANCH_LEFT and BRANCH_RIGHT. This allows the two arms of the branch to be disabled independently, which should hugely improve performance of branch-level coverage tools. The old branch event, BRANCH is now deprecated. - gh-127847: Fix the position when doing interleaved seeks and reads in uncompressed, unencrypted zip files returned by zipfile.ZipFile.open(). - gh-127688: Add the SCHED_DEADLINE and SCHED_NORMAL constants to the os module. - gh-83662: Add missing __class_getitem__ method to the Python implementation of functools.partial(), to make it compatible with the C version. This is mainly relevant for alternative Python implementations like PyPy and GraalPy, because CPython will usually use the C-implementation of that function. - gh-127586: multiprocessing.pool.Pool now properly restores blocked signal handlers of the parent thread when creating processes via either spawn or forkserver. - gh-98188: Fix an issue in email.message.Message.get_payload() where data cannot be decoded if the Content Transfer Encoding mechanism contains trailing whitespaces or additional junk text. Patch by Hui Liu. - gh-127529: Correct behavior of asyncio.selector_events.BaseSelectorEventLoop._accept_connection() in handling ConnectionAbortedError in a loop. This improves performance on OpenBSD. - gh-127360: When a descriptive error message cannot be provided for an ssl.SSLError, the “unknown error” message now shows the internal error code (as retrieved by ERR_get_error and similar OpenSSL functions). - gh-127196: Fix crash when dict with keys in invalid encoding were passed to several functions in _interpreters module. - gh-124130: Fix a bug in matching regular expression \B in empty input string. Now it is always the opposite of \b. To get an old behavior, use (?!\A\Z)\B. To get a new behavior in old Python versions, use (?!\b). - gh-126639: tempfile.NamedTemporaryFile will now issue a ResourceWarning when it is finalized by the garbage collector without being explicitly closed. - gh-126624: Expose error code XML_ERROR_NOT_STARTED of Expat >=2.6.4 in xml.parsers.expat.errors. - gh-126225: getopt and optparse are no longer marked as deprecated. There are legitimate reasons to use one of these modules in preference to argparse, and none of these modules are at risk of being removed from the standard library. Of the three, argparse remains the recommended default choice, unless one of the concerns noted at the top of the optparse module documentation applies. - gh-124761: Add SO_REUSEPORT_LB constant to socket for FreeBSD. - gh-121720: enum.EnumDict can now be used without resorting to private API. - gh-123424: Add zipfile.ZipInfo._for_archive() setting default properties on ZipInfo objects. Patch by Bénédikt Tran and Jason R. Coombs. - gh-121676: Deprecate calling the Python implementation of functools.reduce() with a function or sequence as a keyword argument. This will be forbidden in Python 3.16 in order to match the C implementation. - gh-112015: ctypes.memoryview_at() now exists to create a memoryview object that refers to the supplied pointer and length. This works like ctypes.string_at() except it avoids a buffer copy, and is typically useful when implementing pure Python callback functions that are passed dynamically-sized buffers. - gh-95371: Added support for other image formats (PNG, PGM, and PPM) to the turtle module. Patch by Shin-myoung-serp. - Core and Builtins - gh-128078: Fix a SystemError when using anext() with a default tuple value. Patch by Bénédikt Tran. - gh-128717: Fix a crash when setting the recursion limit while other threads are active on the free threaded build. - gh-124483: Treat Py_DECREF and variants as escaping when generating opcode and uop metadata. This prevents the possibility of a __del__ method causing the JIT to behave incorrectly. - gh-126703: Improve performance of class methods by using a freelist. - gh-128137: Update PyASCIIObject layout to handle interned field with the atomic operation. Patch by Donghee Na. - gh-128192: Upgrade HTTP digest authentication algorithm for urllib.request by supporting SHA-256 digest authentication as specified in RFC 7616. - gh-126868: Increase usage of freelist for int allocation. - gh-114203: Optimize Py_BEGIN_CRITICAL_SECTION for simple recursive calls. - gh-127705: Adds stackref debugging when Py_STACKREF_DEBUG Inis set. Finds all double-closes and leaks, logging the Inorigin and last borrow. spired by HPy’s debug mode. Inhttps://docs.hpyproject.org/en/latest/debug-mode.html - gh-128079: Fix a bug where except* does not properly check the return value of an ExceptionGroup’s split() function, leading to a crash in some cases. Now when split() returns an invalid object, except* raises a TypeError with the original raised ExceptionGroup object chained to it. - gh-128030: Avoid error from calling PyModule_GetFilenameObject on a non-module object when importing a non-existent symbol from a non-module object. - gh-128035: Indicate through ssl.HAS_PHA whether the ssl module supports TLSv1.3 post-handshake client authentication (PHA). Patch by Will Childs-Klein. - gh-127274: Add a new flag, CO_METHOD, to co_flags that indicates whether the code object belongs to a function defined in class scope. - gh-66409: During the path initialization, we now check if base_exec_prefix is the same as base_prefix before falling back to searching the Python interpreter directory. - gh-127970: We now use the location of the libpython runtime library used in the current proccess to determine sys.base_prefix on all platforms implementing the dladdr function defined by the UNIX standard — this includes Linux, Android, macOS, iOS, FreeBSD, etc. This was already the case on Windows and macOS Framework builds. - gh-127773: Do not use the type attribute cache for types with incompatible MRO. - gh-127903: Objects/unicodeobject.c: fix a crash on DEBUG builds in _copy_characters when there is nothing to copy. - gh-127809: Fix an issue where the experimental JIT may infer an incorrect result type for exponentiation (** and **=), leading to bugs or crashes. - gh-126862: Fix a possible overflow when a class inherits from an absurd number of super-classes. Reported by Valery Fedorenko. Patch by Bénédikt Tran. - C API - gh-128400: Py_FatalError() no longer shows all threads on the free threaded build to prevent crashes. - gh-128629: Add macros Py_PACK_VERSION() and Py_PACK_FULL_VERSION() for bit-packing Python version numbers. - gh-128008: Add PyWeakref_IsDead() function, which tests if a weak reference is dead. - gh-127350: Add Py_fopen() function to open a file. Similar to the fopen() function, but the path parameter is a Python object and an exception is set on error. Add also Py_fclose() function to close a file, function needed for Windows support. Patch by Victor Stinner. - Build - gh-128627: For Emscripten builds the function pointer cast call trampoline now uses the wasm-gc ref.test instruction if it’s available instead of Wasm JS type reflection. - gh-128472: Skip BOLT optimization of functions using computed gotos, fixing errors on build with LLVM 19. - gh-115765: GNU Autoconf 2.72 is now required to generate !configure. Patch by Erlend Aasland. - gh-123925: Fix building the curses module on platforms with libncurses but without libncursesw. - gh-90905: Add support for cross-compiling to x86_64 on aarch64/arm64 macOS. - gh-128321: Set LIBS instead of LDFLAGS when checking if sqlite3 library functions are available. This fixes the ordering of linked libraries during checks, which was incorrect when using a statically linked libsqlite3. - gh-100384: Error on unguarded-availability in macOS builds, preventing invalid use of symbols that are not available in older versions of the OS. - gh-128104: Remove Py_STRFTIME_C99_SUPPORT conditions in favor of requiring C99 strftime(3) specifier support at build time. When cross-compiling, there is no build time check and support is assumed. - gh-127951: Add option --pystats to the Windows build to enable performance statistics collection. OBS-URL: https://build.opensuse.org/request/show/1244271 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python314?expand=0&rev=5
2025-02-09 19:01:38 +00:00
parent 1f2a8a5568 b3baeedca9
commit 8659ae7c2d
8 changed files with 488 additions and 9 deletions
--- a/314a4-no-SO_REUSEPORT.patch
+++ b/314a4-no-SO_REUSEPORT.patch
@@ -0,0 +1,94 @@
+From 1afcfaa5ce01cd949e570bc9035b3a7b6ccdd2be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org>
+Date: Fri, 17 Jan 2025 11:46:19 +0100
+Subject: [PATCH 1/2] gh-128916: Do not set `SO_REUSEPORT` on non-`AF_INET*`
+ sockets
+
+Do not attempt to set ``SO_REUSEPORT`` on sockets of address familifies other
+than ``AF_INET`` and ``AF_INET6``, as it is meaningless with these address
+families, and the call with fail with Linux kernel 6.12.9 and newer.
+---
+ Lib/asyncio/base_events.py                                 | 4 +++-
+ Lib/socket.py                                              | 4 +++-
+ Lib/socketserver.py                                        | 7 ++++++-
+ .../Library/2025-01-17-11-46-16.gh-issue-128916.GEePbO.rst | 3 +++
+ 4 files changed, 15 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2025-01-17-11-46-16.gh-issue-128916.GEePbO.rst
+
+diff --git a/Lib/asyncio/base_events.py b/Lib/asyncio/base_events.py
+index 6e6e5aaac15caf..85018797db33bb 100644
+--- a/Lib/asyncio/base_events.py
+++ b/Lib/asyncio/base_events.py
+@@ -1593,7 +1593,9 @@ async def create_server(
+                     if reuse_address:
+                         sock.setsockopt(
+                             socket.SOL_SOCKET, socket.SO_REUSEADDR, True)
+-                    if reuse_port:
+                    # Since Linux 6.12.9, SO_REUSEPORT is not allowed
+                    # on other address families than AF_INET/AF_INET6.
+                    if reuse_port and af in (socket.AF_INET, socket.AF_INET6):
+                         _set_reuseport(sock)
+                     if keep_alive:
+                         sock.setsockopt(
+diff --git a/Lib/socket.py b/Lib/socket.py
+index be37c24d6174a2..727b0e75f03595 100644
+--- a/Lib/socket.py
+++ b/Lib/socket.py
+@@ -937,7 +937,9 @@ def create_server(address, *, family=AF_INET, backlog=None, reuse_port=False,
+                 # Fail later on bind(), for platforms which may not
+                 # support this option.
+                 pass
+-        if reuse_port:
+        # Since Linux 6.12.9, SO_REUSEPORT is not allowed
+        # on other address families than AF_INET/AF_INET6.
+        if reuse_port and family in (AF_INET, AF_INET6):
+             sock.setsockopt(SOL_SOCKET, SO_REUSEPORT, 1)
+         if has_ipv6 and family == AF_INET6:
+             if dualstack_ipv6:
+diff --git a/Lib/socketserver.py b/Lib/socketserver.py
+index cd028ef1c63b85..35b2723de3babe 100644
+--- a/Lib/socketserver.py
+++ b/Lib/socketserver.py
+@@ -468,7 +468,12 @@ def server_bind(self):
+         """
+         if self.allow_reuse_address and hasattr(socket, "SO_REUSEADDR"):
+             self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+-        if self.allow_reuse_port and hasattr(socket, "SO_REUSEPORT"):
+        # Since Linux 6.12.9, SO_REUSEPORT is not allowed
+        # on other address families than AF_INET/AF_INET6.
+        if (
+            self.allow_reuse_port and hasattr(socket, "SO_REUSEPORT")
+            and self.address_family in (socket.AF_INET, socket.AF_INET6)
+        ):
+             self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
+         self.socket.bind(self.server_address)
+         self.server_address = self.socket.getsockname()
+diff --git a/Misc/NEWS.d/next/Library/2025-01-17-11-46-16.gh-issue-128916.GEePbO.rst b/Misc/NEWS.d/next/Library/2025-01-17-11-46-16.gh-issue-128916.GEePbO.rst
+new file mode 100644
+index 00000000000000..5d13825fb2b6ab
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2025-01-17-11-46-16.gh-issue-128916.GEePbO.rst
+@@ -0,0 +1,3 @@
+Do not attempt to set ``SO_REUSEPORT`` on sockets of address familifies
+other than ``AF_INET`` and ``AF_INET6``, as it is meaningless with these
+address families, and the call with fail with Linux kernel 6.12.9 and newer.
+
+From 8f8f0d67742ce151ea9b104ad0396660e2660b09 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org>
+Date: Fri, 17 Jan 2025 11:57:41 +0000
+Subject: [PATCH 2/2] Apply suggestions from code review
+
+Co-authored-by: Vinay Sajip <vinay_sajip@yahoo.co.uk>
+---
+ .../next/Library/2025-01-17-11-46-16.gh-issue-128916.GEePbO.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Misc/NEWS.d/next/Library/2025-01-17-11-46-16.gh-issue-128916.GEePbO.rst b/Misc/NEWS.d/next/Library/2025-01-17-11-46-16.gh-issue-128916.GEePbO.rst
+index 5d13825fb2b6ab..f2db341ef81621 100644
+--- a/Misc/NEWS.d/next/Library/2025-01-17-11-46-16.gh-issue-128916.GEePbO.rst
+++ b/Misc/NEWS.d/next/Library/2025-01-17-11-46-16.gh-issue-128916.GEePbO.rst
+@@ -1,3 +1,3 @@
+-Do not attempt to set ``SO_REUSEPORT`` on sockets of address familifies
+Do not attempt to set ``SO_REUSEPORT`` on sockets of address families
+ other than ``AF_INET`` and ``AF_INET6``, as it is meaningless with these
+ address families, and the call with fail with Linux kernel 6.12.9 and newer.
--- a/CVE-2025-0938-sq-brackets-domain-names.patch
+++ b/CVE-2025-0938-sq-brackets-domain-names.patch
@@ -0,0 +1,111 @@
+From 6204ab9f989be3841c8c47e1e2cfe6a658fe16d5 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Tue, 28 Jan 2025 14:09:00 -0600
+Subject: [PATCH 1/4] gh-105704: Disallow square brackets ( and ) in domain
+ names for parsed URLs
+
+---
+ Lib/test/test_urlparse.py                                                |   37 +++++++++-
+ Lib/urllib/parse.py                                                      |   20 ++++-
+ Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst |    4 +
+ 3 files changed, 58 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
+
+--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
+@@ -1412,16 +1412,51 @@ class UrlParseTestCase(unittest.TestCase
+         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
+         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
+         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix')
+ 
+     def test_splitting_bracketed_hosts(self):
+-        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
+        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query')
+         self.assertEqual(p1.hostname, 'v6a.ip')
+         self.assertEqual(p1.username, 'user')
+         self.assertEqual(p1.path, '/path')
+        self.assertEqual(p1.port, 1234)
+         p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
+         self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
+         self.assertEqual(p2.username, 'user')
+         self.assertEqual(p2.path, '/path')
+        self.assertIs(p2.port, None)
+         p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
+         self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test')
+         self.assertEqual(p3.username, 'user')
+--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
+@@ -439,6 +439,23 @@ def _checknetloc(netloc):
+             raise ValueError("netloc '" + netloc + "' contains invalid " +
+                              "characters under NFKC normalization")
+ 
+def _check_bracketed_netloc(netloc):
+    # Note that this function must mirror the splitting
+    # done in NetlocResultMixins._hostinfo().
+    hostname_and_port = netloc.rpartition('@')[2]
+    before_bracket, have_open_br, bracketed = hostname_and_port.partition('[')
+    if have_open_br:
+        # No data is allowed before a bracket.
+        if before_bracket:
+            raise ValueError("Invalid IPv6 URL")
+        hostname, _, port = bracketed.partition(']')
+        # No data is allowed after the bracket but before the port delimiter.
+        if port and not port.startswith(":"):
+            raise ValueError("Invalid IPv6 URL")
+    else:
+        hostname, _, port = hostname_and_port.partition(':')
+    _check_bracketed_host(hostname)
+
+ # Valid bracketed hosts are defined in
+ # https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
+ def _check_bracketed_host(hostname):
+@@ -505,8 +522,7 @@ def _urlsplit(url, scheme=None, allow_fr
+                 (']' in netloc and '[' not in netloc)):
+             raise ValueError("Invalid IPv6 URL")
+         if '[' in netloc and ']' in netloc:
+-            bracketed_host = netloc.partition('[')[2].partition(']')[0]
+-            _check_bracketed_host(bracketed_host)
+            _check_bracketed_netloc(netloc)
+     if allow_fragments and '#' in url:
+         url, fragment = url.split('#', 1)
+     if '?' in url:
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
+@@ -0,0 +1,4 @@
+When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host
+parsing would not reject domain names containing square brackets (``[`` and
+``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to
+`RFC 3986 Section 3.2.2 <https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__.
--- a/Python-3.14.0a3.tar.xz
+++ b/Python-3.14.0a3.tar.xz
--- a/Python-3.14.0a3.tar.xz.sigstore
+++ b/Python-3.14.0a3.tar.xz.sigstore
@@ -1 +0,0 @@
-{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzjCCAlWgAwIBAgIUDuq8kxtpL3by1SpAOIOeKKlsrjYwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQxMjE3MTYwNzI2WhcNMjQxMjE3MTYxNzI2WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbmMPLFZSDjmfOKJGlOu6KqXbfARpxcurVugL1gOpPciVb/cVrPk9lP7V6B8zpnMK5ax2CbG3otAfweTtDWrnjqOCAXQwggFwMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUDct7Hl3MxAxfP1dhgpDF6PSlUuMwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPaHVnb0BweXRob24ub3JnMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBiwYKKwYBBAHWeQIEAgR9BHsAeQB3AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABk9Vfz7QAAAQDAEgwRgIhALGA/GkNojAPK5EODrVG03RxOEr/0bFyv5wxxxx9otO0AiEAt8SElgsdc7QW/vevYc0lQ6aA1BmxAsjG6O333PTx2hwwCgYIKoZIzj0EAwMDZwAwZAIwd8VqF3+Jxkb1Un90vEsxZAHErNq4ed7BStBPTL+z9ngwBpNcR2NySohOZxgBZuP0AjA5hXuw9WbV15D9do4x4gSiOpCe5AMpgoU/ld0YZfbwN0v/h2rIF64Cp2J04V1RYkw="}, "tlogEntries": [{"logIndex": "156043087", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1734451646", "inclusionPromise": {"signedEntryTimestamp": "MEUCIQD1bn+1BlbnvdMGTX8cRvOVMdhE9Imcz9FMgKSDo4q3yAIgJT+Nibv1h0auGmm6in89ane7DKqcH1e6JxT4sXHO1bQ="}, "inclusionProof": {"logIndex": "34138825", "rootHash": "7Qt+3ioEkHd/WQ+ZF4zkdbZ1JExMNGx/pF6U2cmtM/Q=", "treeSize": "34138826", "hashes": ["460W3n1CZaOKfLd1/YSC0H5L84wbbSFUNol1ZwDndoM=", "y7NhKWl4yggGf0GhUE9xHzlnejEw3Hip+npVOBmV31I=", "dV++dwKBz/zC/+rg8FF5eQt3qeYLLCBeALXUFzUUDvk=", "Fxn6iOFXoaUrdLXwrSYOGfimcHgNjfjb9TnhpIjuaCc=", "BkTein2wmT1o/gL3lyKvg06L/h4CKSyJUadCatxLBTI=", "M1nIbSb6tTZeslPr6Qyo3LT16Jr+lJ+fgJD3il4tqkc=", "dvMxr6G8Mnh7ppC7ZlLdoid1OKb+1L5aNmhT6oEy3og=", "NTLDQYFQUNEJKfKO4iPdERTA3qiw5W+1lj7tBj6ucO0=", "KSSbh1+IusMZKVSTJMSjnahGEacBezafZFvtTDmdcng=", "oj35HyCM3EqQ5Lil2RUr9boiRWZlouxLnqNA7z28Glc=", "vemyaMj0Na1LMjbB/9Dmkq8T+jAb3o+yCESgAayUABU="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n34138826\n7Qt+3ioEkHd/WQ+ZF4zkdbZ1JExMNGx/pF6U2cmtM/Q=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiAk3Vso0Awrs2GLdUg8Ol1Ck4ChMQGcLf/nLMpOmTHQ3AIgIGkpE6mkns2HjIewM4H4D+BPv0UWGBaEYuDx9NXJ5Tg=\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI5NDM0OWRmMjA3NDU2YTU3NWE4ODY3YzIwYjRjYTQzNGY4NzBlMTkyMGRjZGNjOGZkZjc5N2UxYWY0OWFiZTkwIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJRGRodWh6cmtJOHZrZjVVSlNiOGRIT0w5OEtpWXIvd1NwWjFVK3JNd2tQbEFpQTVCbXZjamNNaTNPMlMyak56bDVzd20zVXpXTysxSGk1VnpqTGM5bVlKcFE9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZha05EUVd4WFowRjNTVUpCWjBsVlJIVnhPR3Q0ZEhCTU0ySjVNVk53UVU5SlQyVkxTMnh6Y21wWmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJlRTFxUlROTlZGbDNUbnBKTWxkb1kwNU5hbEY0VFdwRk0wMVVXWGhPZWtreVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZpYlUxUVRFWmFVMFJxYldaUFMwcEhiRTkxTmt0eFdHSm1RVkp3ZUdOMWNsWjFaMHdLTVdkUGNGQmphVlppTDJOV2NsQnJPV3hRTjFZMlFqaDZjRzVOU3pWaGVESkRZa2N6YjNSQlpuZGxWSFJFVjNKdWFuRlBRMEZZVVhkblowWjNUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZFWTNRM0NraHNNMDE0UVhobVVERmthR2R3UkVZMlVGTnNWWFZOZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoUldVUldVakJTUVZGSUwwSkNUWGRGV1VWUVlVaFdibUl3UW5kbFdGSnZZakkwZFdJelNtNU5RM2RIUTJselIwRlJVVUpuTnpoM1FWRkZSUXBJYldnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemx6WWpKa2NHSnBPWFpaV0ZZd1lVUkJkVUpuYjNKQ1owVkZRVmxQTDAxQlJVbENRMEZOQ2todGFEQmtTRUo2VDJrNGRsb3liREJoU0ZacFRHMU9kbUpUT1hOaU1tUndZbWs1ZGxsWVZqQmhSRU5DYVhkWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWprS1FraHpRV1ZSUWpOQlRqQTVUVWR5UjNoNFJYbFplR3RsU0Vwc2JrNTNTMmxUYkRZME0ycDVkQzgwWlV0amIwRjJTMlUyVDBGQlFVSnJPVlptZWpkUlFRcEJRVkZFUVVWbmQxSm5TV2hCVEVkQkwwZHJUbTlxUVZCTE5VVlBSSEpXUnpBelVuaFBSWEl2TUdKR2VYWTFkM2g0ZUhnNWIzUlBNRUZwUlVGME9GTkZDbXhuYzJSak4xRlhMM1psZGxsak1HeFJObUZCTVVKdGVFRnpha2MyVHpNek0xQlVlREpvZDNkRFoxbEpTMjlhU1hwcU1FVkJkMDFFV25kQmQxcEJTWGNLWkRoV2NVWXpLMHA0YTJJeFZXNDVNSFpGYzNoYVFVaEZjazV4TkdWa04wSlRkRUpRVkV3cmVqbHVaM2RDY0U1alVqSk9lVk52YUU5YWVHZENXblZRTUFwQmFrRTFhRmgxZHpsWFlsWXhOVVE1Wkc4MGVEUm5VMmxQY0VObE5VRk5jR2R2VlM5c1pEQlpXbVppZDA0d2RpOW9NbkpKUmpZMFEzQXlTakEwVmpGU0NsbHJkejBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "lDSd8gdFaldaiGfCC0ykNPhw4ZINzcyP33l+GvSavpA="}, "signature": "MEQCIDdhuhzrkI8vkf5UJSb8dHOL98KiYr/wSpZ1U+rMwkPlAiA5BmvcjcMi3O2S2jNzl5swm3UzWO+1Hi5VzjLc9mYJpQ=="}}
--- a/Python-3.14.0a4.tar.xz
+++ b/Python-3.14.0a4.tar.xz
--- a/Python-3.14.0a4.tar.xz.sigstore
+++ b/Python-3.14.0a4.tar.xz.sigstore
@@ -0,0 +1 @@
+{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzzCCAlWgAwIBAgIUTNqrmr/M2mihtEwN8O2FyM2q1q4wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUwMTE0MTYwMTUwWhcNMjUwMTE0MTYxMTUwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXFyDvDOdj/YAUw6VwCbccPuaGXVlONd/+yU2w6pjOucN7XNrKQzRc2p0B87e6fBJNtrvoQskKm5g5RZRNIaTraOCAXQwggFwMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU+FemmqqSGkLeHpehmVT+O/2VD1MwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPaHVnb0BweXRob24ub3JnMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBiwYKKwYBBAHWeQIEAgR9BHsAeQB3AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABlGWMvxkAAAQDAEgwRgIhAMdC5GErGZYgWadLhCcmCxR3wAZ8jSVhTikA8HyIMUjKAiEAjZQMpnwoXgxNEXGAs8J/Myxxp5Lky719397l9nhdPk8wCgYIKoZIzj0EAwMDaAAwZQIxAMcST1Hx0VxHs8dH4fVNnJHRqHV70g4gWXOUahXOh86pLbvOOsGqM3w8o3kUhjO7oAIwRCZiVhDjDq59iDX6/IO7mG/gwNXBVqKSPdcYRS6l/SxM3JRORz8QCQK3HtM5TPvm"}, "tlogEntries": [{"logIndex": "162324179", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1736870510", "inclusionPromise": {"signedEntryTimestamp": "MEQCIAXgFU1gThdT0mhc6q0AXzD3bBXTiacgiLtvj81gdZF4AiBN9qUrwxowhsD9xRkTFuRk/l7pkEkkF84mJouMltHlqw=="}, "inclusionProof": {"logIndex": "40419917", "rootHash": "sQcmJqkpVAfxguDGAn46H0Jx7wI/seLoX5hw8YAhpzE=", "treeSize": "40419918", "hashes": ["qjl0o9LTqPs1qAydDqJeuEjAe7m0r28edbu6YhwigVs=", "ld8TM/ZFyvOEsuFo6tzdkPMu1WXFFF7FkLeePNxTZgQ=", "msMDMUPWOxenW8+fKcA9KtYwJh+qOm8eJ6hD6qMLxgo=", "HB3n8ruKgQ4/hsnPPqqgZqgqrIY+bil6MZEN48iQf5o=", "s4485wmLHDIJ3Uz0cZtlQJMaGl/NcoVYyRSxf8iaGF0=", "ipeSaii1joKqXMjR8vQt0JqN3F2T64mYFe55cZTSE7k=", "Zh8tfYPsaKKLrwZBF7ddhto+2SATy+XV9dtLPctNAlU=", "GVSyTNVOEKppJTUqz+nM5IM0FJ34fKBEIv5VAyJ7Dv4=", "tlaG/ckV5gypfBxP4OGlhhoLQ/VcEe+s4IdoNM+5CJk=", "LxTVSFPuriQ2RUI8Dbu2hz4wzAG1G271/Jivqrd1etw=", "vemyaMj0Na1LMjbB/9Dmkq8T+jAb3o+yCESgAayUABU="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n40419918\nsQcmJqkpVAfxguDGAn46H0Jx7wI/seLoX5hw8YAhpzE=\n\n\u2014 rekor.sigstore.dev wNI9ajBGAiEAv+PVAciPszI4zlpSunN4bfTvMqVTy5p62XGhyX7jQwACIQCNHJdBqkgiBk7OICiGqlcnklnK9wf4okEYP4iC2UpSUQ==\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJjMjRmMDc4ODE4NzNjMWQ0NjAyMjg3OTVjYTZjYThjOTkxMzBlMzBjNzczYzkxNDYzZDMwZDdlYThmZjBlNzBiIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUROejA2OHVmUE1tRUNZL3JldUdNSGRBbUhoazc1MHNaNHdTKytsY1g1Z0xRSWdLdzN1S1oydm9Jd2FMSWk1dFl3d2JBOUZUaFVHK05NUDViYmwyS0xSYXZjPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZla05EUVd4WFowRjNTVUpCWjBsVlZFNXhjbTF5TDAweWJXbG9kRVYzVGpoUE1rWjVUVEp4TVhFMGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZkMDFVUlRCTlZGbDNUVlJWZDFkb1kwNU5hbFYzVFZSRk1FMVVXWGhOVkZWM1YycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZZUm5sRWRrUlBaR292V1VGVmR6WldkME5pWTJOUWRXRkhXRlpzVDA1a0x5dDVWVElLZHpad2FrOTFZMDQzV0U1eVMxRjZVbU15Y0RCQ09EZGxObVpDU2s1MGNuWnZVWE5yUzIwMVp6VlNXbEpPU1dGVWNtRlBRMEZZVVhkblowWjNUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlVyUm1WdENtMXhjVk5IYTB4bFNIQmxhRzFXVkN0UEx6SldSREZOZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoUldVUldVakJTUVZGSUwwSkNUWGRGV1VWUVlVaFdibUl3UW5kbFdGSnZZakkwZFdJelNtNU5RM2RIUTJselIwRlJVVUpuTnpoM1FWRkZSUXBJYldnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemx6WWpKa2NHSnBPWFpaV0ZZd1lVUkJkVUpuYjNKQ1owVkZRVmxQTDAxQlJVbENRMEZOQ2todGFEQmtTRUo2VDJrNGRsb3liREJoU0ZacFRHMU9kbUpUT1hOaU1tUndZbWs1ZGxsWVZqQmhSRU5DYVhkWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWprS1FraHpRV1ZSUWpOQlRqQTVUVWR5UjNoNFJYbFplR3RsU0Vwc2JrNTNTMmxUYkRZME0ycDVkQzgwWlV0amIwRjJTMlUyVDBGQlFVSnNSMWROZG5oclFRcEJRVkZFUVVWbmQxSm5TV2hCVFdSRE5VZEZja2RhV1dkWFlXUk1hRU5qYlVONFVqTjNRVm80YWxOV2FGUnBhMEU0U0hsSlRWVnFTMEZwUlVGcVdsRk5DbkJ1ZDI5WVozaE9SVmhIUVhNNFNpOU5lWGg0Y0RWTWEzazNNVGt6T1Rkc09XNW9aRkJyT0hkRFoxbEpTMjlhU1hwcU1FVkJkMDFFWVVGQmQxcFJTWGdLUVUxalUxUXhTSGd3Vm5oSWN6aGtTRFJtVms1dVNraFNjVWhXTnpCbk5HZFhXRTlWWVdoWVQyZzRObkJNWW5aUFQzTkhjVTB6ZHpodk0ydFZhR3BQTndwdlFVbDNVa05hYVZab1JHcEVjVFU1YVVSWU5pOUpUemR0Unk5bmQwNVlRbFp4UzFOUVpHTlpVbE0yYkM5VGVFMHpTbEpQVW5vNFVVTlJTek5JZEUwMUNsUlFkbTBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "wk8HiBhzwdRgIoeVymyoyZEw4wx3PJFGPTDX6o/w5ws="}, "signature": "MEUCIQDNz068ufPMmECY/reuGMHdAmHhk750sZ4wS++lcX5gLQIgKw3uKZ2voIwaLIi5tYwwbA9FThUG+NMP5bbl2KLRavc="}}
--- a/python314.changes
+++ b/python314.changes
@@ -1,3 +1,263 @@
+-------------------------------------------------------------------
+Tue Feb  4 14:43:13 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-0938-sq-brackets-domain-names.patch which
+  disallows square brackets ([ and ]) in domain names for parsed
+  URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
+- Add 314a4-no-SO_REUSEPORT.patch to fix build on new kernel
+  (gh#python/cpython#128916).
+
+-------------------------------------------------------------------
+Mon Jan 27 09:16:22 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Configure externally_managed with a bcond
+  https://en.opensuse.org/openSUSE:Python:Externally_managed
+  bsc#1228165
+
+-------------------------------------------------------------------
+Fri Jan 17 21:21:42 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to the fourth development version of 3.14.0:
+  - Tools/Demos
+    - gh-128152: Fix a bug where Argument Clinic’s C
+      pre-processor parser tried to parse pre-processor
+      directives inside C comments. Patch by Erlend Aasland.
+  - Tests
+    - gh-128690: Temporarily do not use test_embed in PGO profile
+      builds until the problem with test_init_pyvenv_cfg failing
+      in some configurations is resolved.
+  - Library
+    - gh-128731: Fix ResourceWarning in
+      urllib.robotparser.RobotFileParser.read().
+    - gh-71339: Add new assertion methods for unittest:
+      assertHasAttr(), assertNotHasAttr(), assertIsSubclass(),
+      assertNotIsSubclass() assertStartsWith(),
+      assertNotStartsWith(), assertEndsWith() and
+      assertNotEndsWith().
+    - gh-118761: Improve import time of pickle by 25% by removing
+      an unnecessary regular expression. As such, re is no more
+      implicitly available as pickle.re. Patch by Bénédikt Tran.
+    - gh-128661: Fixes typing.evaluate_forward_ref() not showing
+      deprecation when type_params arg is not passed.
+    - gh-128562: Fix possible conflicts in generated tkinter
+      widget names if the widget class name ends with a digit.
+    - gh-128559: Improved import time of asyncio.
+    - gh-128552: Fix cyclic garbage introduced
+      by asyncio.loop.create_task() and
+      asyncio.TaskGroup.create_task() holding a reference to the
+      created task if it is eager.
+    - gh-128340: Add internal thread safe handle to be used
+      in asyncio.loop.call_soon_threadsafe() for thread safe
+      cancellation.
+    - gh-128182: Fix crash when using ctypes pointers
+      concurrently on the free threaded build.
+    - gh-128400: Only show the current thread in faulthandler on
+      the free threaded build to prevent races.
+    - gh-128400: Fix crash when using
+      faulthandler.dump_traceback() while other threads are
+      active on the free threaded build.
+    - gh-128388: Fix PyREPL on Windows to support more
+      keybindings, like the Control-← and Control-→ word-skipping
+      keybindings and those with meta (i.e. Alt), e.g. Alt-d to
+      kill-word or Alt-Backspace backward-kill-word.
+    - gh-88834: Unify the instance check for typing.Union and
+      types.UnionType: Union now uses the instance checks against
+      its parameters instead of the subclass checks.
+    - gh-128302: Fix
+      xml.dom.xmlbuilder.DOMEntityResolver.resolveEntity(), which
+      was broken by the Python 3.0 transition.
+    - gh-128317: Highlight today in colour in calendar’s CLI
+      output. Patch by Hugo van Kemenade.
+    - gh-128302: Allow xml.dom.xmlbuilder.DOMParser.parse()
+      to correctly handle xml.dom.xmlbuilder.DOMInputSource
+      instances that only have a systemId attribute set.
+    - gh-128151: Improve generation of UUID objects version 3,
+      4, 5, and 8 via their dedicated functions by 30%. Patch by
+      Bénédikt Tran.
+    - gh-128118: Improve performance of copy.copy() by 30% via a
+      fast path for atomic types and container types.
+    - gh-127946: Fix crash when modifying ctypes._CFuncPtr
+      objects concurrently on the free threaded build.
+    - gh-128062: Revert the font of turtledemo’s menu bar to its
+      default value and display the shortcut keys in the correct
+      position.
+    - gh-128014: Fix resetting the default window icon by passing
+      default='' to the tkinter method wm_iconbitmap().
+    - gh-41872: Fix quick extraction of module docstrings from
+      a file in pydoc. It now supports docstrings with single
+      quotes, escape sequences, raw string literals, and other
+      Python syntax.
+    - gh-127060: Set TERM environment variable to “dumb” to
+      disable traceback colors in IDLE, since IDLE doesn’t
+      understand ANSI escape sequences. Patch by Victor Stinner.
+    - gh-126742: Fix support of localized error messages reported
+      by dlerror(3) and gdbm_strerror in ctypes and dbm.gnu
+      functions respectively. Patch by Bénédikt Tran.
+    - gh-122548: Adds two new local events to sys.monitoring,
+      BRANCH_LEFT and BRANCH_RIGHT. This allows the two arms
+      of the branch to be disabled independently, which should
+      hugely improve performance of branch-level coverage
+      tools. The old branch event, BRANCH is now deprecated.
+    - gh-127847: Fix the position when doing interleaved seeks
+      and reads in uncompressed, unencrypted zip files returned
+      by zipfile.ZipFile.open().
+    - gh-127688: Add the SCHED_DEADLINE and SCHED_NORMAL
+      constants to the os module.
+    - gh-83662: Add missing __class_getitem__ method to the
+      Python implementation of functools.partial(), to make it
+      compatible with the C version. This is mainly relevant for
+      alternative Python implementations like PyPy and GraalPy,
+      because CPython will usually use the C-implementation of
+      that function.
+    - gh-127586: multiprocessing.pool.Pool now properly restores
+      blocked signal handlers of the parent thread when creating
+      processes via either spawn or forkserver.
+    - gh-98188: Fix an issue in
+      email.message.Message.get_payload() where data cannot be
+      decoded if the Content Transfer Encoding mechanism contains
+      trailing whitespaces or additional junk text. Patch by Hui
+      Liu.
+    - gh-127529: Correct behavior of
+      asyncio.selector_events.BaseSelectorEventLoop._accept_connection()
+      in handling ConnectionAbortedError in a loop. This improves
+      performance on OpenBSD.
+    - gh-127360: When a descriptive error message cannot be
+      provided for an ssl.SSLError, the “unknown error” message
+      now shows the internal error code (as retrieved by
+      ERR_get_error and similar OpenSSL functions).
+    - gh-127196: Fix crash when dict with keys in invalid
+      encoding were passed to several functions in _interpreters
+      module.
+    - gh-124130: Fix a bug in matching regular expression \B in
+      empty input string. Now it is always the opposite of \b. To
+      get an old behavior, use (?!\A\Z)\B. To get a new behavior
+      in old Python versions, use (?!\b).
+    - gh-126639: tempfile.NamedTemporaryFile will now issue
+      a ResourceWarning when it is finalized by the garbage
+      collector without being explicitly closed.
+    - gh-126624: Expose error code XML_ERROR_NOT_STARTED of Expat
+      >=2.6.4 in xml.parsers.expat.errors.
+    - gh-126225: getopt and optparse are no longer marked as
+      deprecated. There are legitimate reasons to use one of
+      these modules in preference to argparse, and none of these
+      modules are at risk of being removed from the standard
+      library. Of the three, argparse remains the recommended
+      default choice, unless one of the concerns noted at the top
+      of the optparse module documentation applies.
+    - gh-124761: Add SO_REUSEPORT_LB constant to socket for
+      FreeBSD.
+    - gh-121720: enum.EnumDict can now be used without resorting
+      to private API.
+    - gh-123424: Add zipfile.ZipInfo._for_archive() setting
+      default properties on ZipInfo objects. Patch by Bénédikt
+      Tran and Jason R. Coombs.
+    - gh-121676: Deprecate calling the Python implementation of
+      functools.reduce() with a function or sequence as a keyword
+      argument. This will be forbidden in Python 3.16 in order to
+      match the C implementation.
+    - gh-112015: ctypes.memoryview_at() now exists to create
+      a memoryview object that refers to the supplied pointer
+      and length. This works like ctypes.string_at() except
+      it avoids a buffer copy, and is typically useful when
+      implementing pure Python callback functions that are passed
+      dynamically-sized buffers.
+    - gh-95371: Added support for other image formats (PNG, PGM,
+      and PPM) to the turtle module. Patch by Shin-myoung-serp.
+  - Core and Builtins
+    - gh-128078: Fix a SystemError when using anext() with a
+      default tuple value. Patch by Bénédikt Tran.
+    - gh-128717: Fix a crash when setting the recursion limit
+      while other threads are active on the free threaded build.
+    - gh-124483: Treat Py_DECREF and variants as escaping when
+      generating opcode and uop metadata. This prevents the
+      possibility of a __del__ method causing the JIT to behave
+      incorrectly.
+    - gh-126703: Improve performance of class methods by using a
+      freelist.
+    - gh-128137: Update PyASCIIObject layout to handle interned
+      field with the atomic operation. Patch by Donghee Na.
+    - gh-128192: Upgrade HTTP digest authentication algorithm for
+      urllib.request by supporting SHA-256 digest authentication
+      as specified in RFC 7616.
+    - gh-126868: Increase usage of freelist for int allocation.
+    - gh-114203: Optimize Py_BEGIN_CRITICAL_SECTION for simple
+      recursive calls.
+    - gh-127705: Adds stackref debugging when Py_STACKREF_DEBUG
+      Inis set. Finds all double-closes and leaks, logging the
+      Inorigin and last borrow. spired by HPy’s debug mode.
+      Inhttps://docs.hpyproject.org/en/latest/debug-mode.html
+    - gh-128079: Fix a bug where except* does not properly check
+      the return value of an ExceptionGroup’s split() function,
+      leading to a crash in some cases. Now when split() returns
+      an invalid object, except* raises a TypeError with the
+      original raised ExceptionGroup object chained to it.
+    - gh-128030: Avoid error from calling
+      PyModule_GetFilenameObject on a non-module object when
+      importing a non-existent symbol from a non-module object.
+    - gh-128035: Indicate through ssl.HAS_PHA whether the
+      ssl module supports TLSv1.3 post-handshake client
+      authentication (PHA). Patch by Will Childs-Klein.
+    - gh-127274: Add a new flag, CO_METHOD, to co_flags that
+      indicates whether the code object belongs to a function
+      defined in class scope.
+    - gh-66409: During the path initialization, we now check if
+      base_exec_prefix is the same as base_prefix before falling
+      back to searching the Python interpreter directory.
+    - gh-127970: We now use the location of the libpython
+      runtime library used in the current proccess to determine
+      sys.base_prefix on all platforms implementing the dladdr
+      function defined by the UNIX standard — this includes
+      Linux, Android, macOS, iOS, FreeBSD, etc. This was already
+      the case on Windows and macOS Framework builds.
+    - gh-127773: Do not use the type attribute cache for types
+      with incompatible MRO.
+    - gh-127903: Objects/unicodeobject.c: fix a crash on DEBUG
+      builds in _copy_characters when there is nothing to copy.
+    - gh-127809: Fix an issue where the experimental JIT may
+      infer an incorrect result type for exponentiation (** and
+      **=), leading to bugs or crashes.
+    - gh-126862: Fix a possible overflow when a class inherits
+      from an absurd number of super-classes. Reported by Valery
+      Fedorenko. Patch by Bénédikt Tran.
+  - C API
+    - gh-128400: Py_FatalError() no longer shows all threads on
+      the free threaded build to prevent crashes.
+    - gh-128629: Add macros Py_PACK_VERSION() and
+      Py_PACK_FULL_VERSION() for bit-packing Python version
+      numbers.
+    - gh-128008: Add PyWeakref_IsDead() function, which tests if
+      a weak reference is dead.
+    - gh-127350: Add Py_fopen() function to open a file. Similar
+      to the fopen() function, but the path parameter is a
+      Python object and an exception is set on error. Add also
+      Py_fclose() function to close a file, function needed for
+      Windows support. Patch by Victor Stinner.
+  - Build
+    - gh-128627: For Emscripten builds the function pointer cast
+      call trampoline now uses the wasm-gc ref.test instruction
+      if it’s available instead of Wasm JS type reflection.
+    - gh-128472: Skip BOLT optimization of functions using
+      computed gotos, fixing errors on build with LLVM 19.
+    - gh-115765: GNU Autoconf 2.72 is now required to generate
+      !configure. Patch by Erlend Aasland.
+    - gh-123925: Fix building the curses module on platforms with
+      libncurses but without libncursesw.
+    - gh-90905: Add support for cross-compiling to x86_64 on
+      aarch64/arm64 macOS.
+    - gh-128321: Set LIBS instead of LDFLAGS when checking if
+      sqlite3 library functions are available. This fixes the
+      ordering of linked libraries during checks, which was
+      incorrect when using a statically linked libsqlite3.
+    - gh-100384: Error on unguarded-availability in macOS builds,
+      preventing invalid use of symbols that are not available in
+      older versions of the OS.
+    - gh-128104: Remove Py_STRFTIME_C99_SUPPORT conditions in
+      favor of requiring C99 strftime(3) specifier support at
+      build time. When cross-compiling, there is no build time
+      check and support is assumed.
+    - gh-127951: Add option --pystats to the Windows build to
+      enable performance statistics collection.
+
 -------------------------------------------------------------------
 Wed Dec 18 00:31:42 UTC 2024 - Matej Cepl <mcepl@cepl.eu>

--- a/python314.spec
+++ b/python314.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python314
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -73,6 +73,14 @@
 %endif
 %endif

+# Only for Tumbleweed
+# https://en.opensuse.org/openSUSE:Python:Externally_managed
+%if 0%{?suse_version} > 1600
+%bcond_without externally_managed
+%else
+%bcond_with externally_managed
+%endif
+
 %define         python_pkg_name python314
 %if %{without GIL}
 %define         python_pkg_name python314-nogil
@@ -149,8 +157,8 @@
 # _md5.cpython-38m-x86_64-linux-gnu.so
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.14.0~a3
-%define         tarversion 3.14.0a3
+Version:        3.14.0~a4
+%define         tarversion 3.14.0a4
 %define         tarname    Python-%{tarversion}
 Release:        0
 Summary:        Python 3 Interpreter
@@ -208,6 +216,12 @@ Patch39:        CVE-2023-52425-libexpat-2.6.0-backport-15.6.patch
 # PATCH-FIX-OPENSUSE fix-test-recursion-limit-15.6.patch gh#python/cpython#115083
 # Skip some failing tests in test_compile for i586 arch in 15.6.
 Patch40:        fix-test-recursion-limit-15.6.patch
+# PATCH-FIX-UPSTREAM CVE-2025-0938-sq-brackets-domain-names.patch bsc#1236705 mcepl@suse.com
+# functions `urllib.parse.urlsplit` and `urlparse` accept domain names including square brackets
+Patch41:        CVE-2025-0938-sq-brackets-domain-names.patch
+# PATCH-FIX-UPSTREAM 314a4-no-SO_REUSEPORT.patch gh#python/cpython#128916 mcepl@suse.com
+# changes in kernel break Python tests
+Patch42:        314a4-no-SO_REUSEPORT.patch
 #### Python 3.14 DEVELOPMENT PATCHES
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
@@ -794,7 +808,7 @@ rm %{buildroot}%{_libdir}/libpython3.so
 rm %{buildroot}%{_libdir}/pkgconfig/{python3,python3-embed}.pc
 %endif

-%if %{suse_version} > 1550
+%if %{with externally_managed}
 # PEP-0668 mark this as a distro maintained python
 sed -e 's,__PYTHONPREFIX__,%{python_pkg_name},' -e 's,__PYTHON__,python%{python_version},' < %{SOURCE4} > %{buildroot}%{sitedir}/EXTERNALLY-MANAGED
 %endif
@@ -996,7 +1010,7 @@ fi
 %{_mandir}/man1/python%{python_version}.1%{?ext_man}
 %endif

-%if %{suse_version} > 1550
+%if %{with externally_managed}
 # PEP-0668
 %{sitedir}/EXTERNALLY-MANAGED
 %endif
				`@@ -1 +0,0 @@`
				{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzjCCAlWgAwIBAgIUDuq8kxtpL3by1SpAOIOeKKlsrjYwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQxMjE3MTYwNzI2WhcNMjQxMjE3MTYxNzI2WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbmMPLFZSDjmfOKJGlOu6KqXbfARpxcurVugL1gOpPciVb/cVrPk9lP7V6B8zpnMK5ax2CbG3otAfweTtDWrnjqOCAXQwggFwMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUDct7Hl3MxAxfP1dhgpDF6PSlUuMwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPaHVnb0BweXRob24ub3JnMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBiwYKKwYBBAHWeQIEAgR9BHsAeQB3AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABk9Vfz7QAAAQDAEgwRgIhALGA/GkNojAPK5EODrVG03RxOEr/0bFyv5wxxxx9otO0AiEAt8SElgsdc7QW/vevYc0lQ6aA1BmxAsjG6O333PTx2hwwCgYIKoZIzj0EAwMDZwAwZAIwd8VqF3+Jxkb1Un90vEsxZAHErNq4ed7BStBPTL+z9ngwBpNcR2NySohOZxgBZuP0AjA5hXuw9WbV15D9do4x4gSiOpCe5AMpgoU/ld0YZfbwN0v/h2rIF64Cp2J04V1RYkw="}, "tlogEntries": [{"logIndex": "156043087", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1734451646", "inclusionPromise": {"signedEntryTimestamp": "MEUCIQD1bn+1BlbnvdMGTX8cRvOVMdhE9Imcz9FMgKSDo4q3yAIgJT+Nibv1h0auGmm6in89ane7DKqcH1e6JxT4sXHO1bQ="}, "inclusionProof": {"logIndex": "34138825", "rootHash": "7Qt+3ioEkHd/WQ+ZF4zkdbZ1JExMNGx/pF6U2cmtM/Q=", "treeSize": "34138826", "hashes": ["460W3n1CZaOKfLd1/YSC0H5L84wbbSFUNol1ZwDndoM=", "y7NhKWl4yggGf0GhUE9xHzlnejEw3Hip+npVOBmV31I=", "dV++dwKBz/zC/+rg8FF5eQt3qeYLLCBeALXUFzUUDvk=", "Fxn6iOFXoaUrdLXwrSYOGfimcHgNjfjb9TnhpIjuaCc=", "BkTein2wmT1o/gL3lyKvg06L/h4CKSyJUadCatxLBTI=", "M1nIbSb6tTZeslPr6Qyo3LT16Jr+lJ+fgJD3il4tqkc=", "dvMxr6G8Mnh7ppC7ZlLdoid1OKb+1L5aNmhT6oEy3og=", "NTLDQYFQUNEJKfKO4iPdERTA3qiw5W+1lj7tBj6ucO0=", "KSSbh1+IusMZKVSTJMSjnahGEacBezafZFvtTDmdcng=", "oj35HyCM3EqQ5Lil2RUr9boiRWZlouxLnqNA7z28Glc=", "vemyaMj0Na1LMjbB/9Dmkq8T+jAb3o+yCESgAayUABU="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n34138826\n7Qt+3ioEkHd/WQ+ZF4zkdbZ1JExMNGx/pF6U2cmtM/Q=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiAk3Vso0Awrs2GLdUg8Ol1Ck4ChMQGcLf/nLMpOmTHQ3AIgIGkpE6mkns2HjIewM4H4D+BPv0UWGBaEYuDx9NXJ5Tg=\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI5NDM0OWRmMjA3NDU2YTU3NWE4ODY3YzIwYjRjYTQzNGY4NzBlMTkyMGRjZGNjOGZkZjc5N2UxYWY0OWFiZTkwIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJRGRodWh6cmtJOHZrZjVVSlNiOGRIT0w5OEtpWXIvd1NwWjFVK3JNd2tQbEFpQTVCbXZjamNNaTNPMlMyak56bDVzd20zVXpXTysxSGk1VnpqTGM5bVlKcFE9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZha05EUVd4WFowRjNTVUpCWjBsVlJIVnhPR3Q0ZEhCTU0ySjVNVk53UVU5SlQyVkxTMnh6Y21wWmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJlRTFxUlROTlZGbDNUbnBKTWxkb1kwNU5hbEY0VFdwRk0wMVVXWGhPZWtreVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZpYlUxUVRFWmFVMFJxYldaUFMwcEhiRTkxTmt0eFdHSm1RVkp3ZUdOMWNsWjFaMHdLTVdkUGNGQmphVlppTDJOV2NsQnJPV3hRTjFZMlFqaDZjRzVOU3pWaGVESkRZa2N6YjNSQlpuZGxWSFJFVjNKdWFuRlBRMEZZVVhkblowWjNUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZFWTNRM0NraHNNMDE0UVhobVVERmthR2R3UkVZMlVGTnNWWFZOZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoUldVUldVakJTUVZGSUwwSkNUWGRGV1VWUVlVaFdibUl3UW5kbFdGSnZZakkwZFdJelNtNU5RM2RIUTJselIwRlJVVUpuTnpoM1FWRkZSUXBJYldnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemx6WWpKa2NHSnBPWFpaV0ZZd1lVUkJkVUpuYjNKQ1owVkZRVmxQTDAxQlJVbENRMEZOQ2todGFEQmtTRUo2VDJrNGRsb3liREJoU0ZacFRHMU9kbUpUT1hOaU1tUndZbWs1ZGxsWVZqQmhSRU5DYVhkWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWprS1FraHpRV1ZSUWpOQlRqQTVUVWR5UjNoNFJYbFplR3RsU0Vwc2JrNTNTMmxUYkRZME0ycDVkQzgwWlV0amIwRjJTMlUyVDBGQlFVSnJPVlptZWpkUlFRcEJRVkZFUVVWbmQxSm5TV2hCVEVkQkwwZHJUbTlxUVZCTE5VVlBSSEpXUnpBelVuaFBSWEl2TUdKR2VYWTFkM2g0ZUhnNWIzUlBNRUZwUlVGME9GTkZDbXhuYzJSak4xRlhMM1psZGxsak1HeFJObUZCTVVKdGVFRnpha2MyVHpNek0xQlVlREpvZDNkRFoxbEpTMjlhU1hwcU1FVkJkMDFFV25kQmQxcEJTWGNLWkRoV2NVWXpLMHA0YTJJeFZXNDVNSFpGYzNoYVFVaEZjazV4TkdWa04wSlRkRUpRVkV3cmVqbHVaM2RDY0U1alVqSk9lVk52YUU5YWVHZENXblZRTUFwQmFrRTFhRmgxZHpsWFlsWXhOVVE1Wkc4MGVEUm5VMmxQY0VObE5VRk5jR2R2VlM5c1pEQlpXbVppZDA0d2RpOW9NbkpKUmpZMFEzQXlTakEwVmpGU0NsbHJkejBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "lDSd8gdFaldaiGfCC0ykNPhw4ZINzcyP33l+GvSavpA="}, "signature": "MEQCIDdhuhzrkI8vkf5UJSb8dHOL98KiYr/wSpZ1U+rMwkPlAiA5BmvcjcMi3O2S2jNzl5swm3UzWO+1Hi5VzjLc9mYJpQ=="}}
				`@@ -0,0 +1 @@`
				{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzzCCAlWgAwIBAgIUTNqrmr/M2mihtEwN8O2FyM2q1q4wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUwMTE0MTYwMTUwWhcNMjUwMTE0MTYxMTUwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXFyDvDOdj/YAUw6VwCbccPuaGXVlONd/+yU2w6pjOucN7XNrKQzRc2p0B87e6fBJNtrvoQskKm5g5RZRNIaTraOCAXQwggFwMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU+FemmqqSGkLeHpehmVT+O/2VD1MwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPaHVnb0BweXRob24ub3JnMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBiwYKKwYBBAHWeQIEAgR9BHsAeQB3AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABlGWMvxkAAAQDAEgwRgIhAMdC5GErGZYgWadLhCcmCxR3wAZ8jSVhTikA8HyIMUjKAiEAjZQMpnwoXgxNEXGAs8J/Myxxp5Lky719397l9nhdPk8wCgYIKoZIzj0EAwMDaAAwZQIxAMcST1Hx0VxHs8dH4fVNnJHRqHV70g4gWXOUahXOh86pLbvOOsGqM3w8o3kUhjO7oAIwRCZiVhDjDq59iDX6/IO7mG/gwNXBVqKSPdcYRS6l/SxM3JRORz8QCQK3HtM5TPvm"}, "tlogEntries": [{"logIndex": "162324179", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1736870510", "inclusionPromise": {"signedEntryTimestamp": "MEQCIAXgFU1gThdT0mhc6q0AXzD3bBXTiacgiLtvj81gdZF4AiBN9qUrwxowhsD9xRkTFuRk/l7pkEkkF84mJouMltHlqw=="}, "inclusionProof": {"logIndex": "40419917", "rootHash": "sQcmJqkpVAfxguDGAn46H0Jx7wI/seLoX5hw8YAhpzE=", "treeSize": "40419918", "hashes": ["qjl0o9LTqPs1qAydDqJeuEjAe7m0r28edbu6YhwigVs=", "ld8TM/ZFyvOEsuFo6tzdkPMu1WXFFF7FkLeePNxTZgQ=", "msMDMUPWOxenW8+fKcA9KtYwJh+qOm8eJ6hD6qMLxgo=", "HB3n8ruKgQ4/hsnPPqqgZqgqrIY+bil6MZEN48iQf5o=", "s4485wmLHDIJ3Uz0cZtlQJMaGl/NcoVYyRSxf8iaGF0=", "ipeSaii1joKqXMjR8vQt0JqN3F2T64mYFe55cZTSE7k=", "Zh8tfYPsaKKLrwZBF7ddhto+2SATy+XV9dtLPctNAlU=", "GVSyTNVOEKppJTUqz+nM5IM0FJ34fKBEIv5VAyJ7Dv4=", "tlaG/ckV5gypfBxP4OGlhhoLQ/VcEe+s4IdoNM+5CJk=", "LxTVSFPuriQ2RUI8Dbu2hz4wzAG1G271/Jivqrd1etw=", "vemyaMj0Na1LMjbB/9Dmkq8T+jAb3o+yCESgAayUABU="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n40419918\nsQcmJqkpVAfxguDGAn46H0Jx7wI/seLoX5hw8YAhpzE=\n\n\u2014 rekor.sigstore.dev wNI9ajBGAiEAv+PVAciPszI4zlpSunN4bfTvMqVTy5p62XGhyX7jQwACIQCNHJdBqkgiBk7OICiGqlcnklnK9wf4okEYP4iC2UpSUQ==\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJjMjRmMDc4ODE4NzNjMWQ0NjAyMjg3OTVjYTZjYThjOTkxMzBlMzBjNzczYzkxNDYzZDMwZDdlYThmZjBlNzBiIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUROejA2OHVmUE1tRUNZL3JldUdNSGRBbUhoazc1MHNaNHdTKytsY1g1Z0xRSWdLdzN1S1oydm9Jd2FMSWk1dFl3d2JBOUZUaFVHK05NUDViYmwyS0xSYXZjPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZla05EUVd4WFowRjNTVUpCWjBsVlZFNXhjbTF5TDAweWJXbG9kRVYzVGpoUE1rWjVUVEp4TVhFMGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZkMDFVUlRCTlZGbDNUVlJWZDFkb1kwNU5hbFYzVFZSRk1FMVVXWGhOVkZWM1YycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZZUm5sRWRrUlBaR292V1VGVmR6WldkME5pWTJOUWRXRkhXRlpzVDA1a0x5dDVWVElLZHpad2FrOTFZMDQzV0U1eVMxRjZVbU15Y0RCQ09EZGxObVpDU2s1MGNuWnZVWE5yUzIwMVp6VlNXbEpPU1dGVWNtRlBRMEZZVVhkblowWjNUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlVyUm1WdENtMXhjVk5IYTB4bFNIQmxhRzFXVkN0UEx6SldSREZOZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoUldVUldVakJTUVZGSUwwSkNUWGRGV1VWUVlVaFdibUl3UW5kbFdGSnZZakkwZFdJelNtNU5RM2RIUTJselIwRlJVVUpuTnpoM1FWRkZSUXBJYldnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemx6WWpKa2NHSnBPWFpaV0ZZd1lVUkJkVUpuYjNKQ1owVkZRVmxQTDAxQlJVbENRMEZOQ2todGFEQmtTRUo2VDJrNGRsb3liREJoU0ZacFRHMU9kbUpUT1hOaU1tUndZbWs1ZGxsWVZqQmhSRU5DYVhkWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWprS1FraHpRV1ZSUWpOQlRqQTVUVWR5UjNoNFJYbFplR3RsU0Vwc2JrNTNTMmxUYkRZME0ycDVkQzgwWlV0amIwRjJTMlUyVDBGQlFVSnNSMWROZG5oclFRcEJRVkZFUVVWbmQxSm5TV2hCVFdSRE5VZEZja2RhV1dkWFlXUk1hRU5qYlVONFVqTjNRVm80YWxOV2FGUnBhMEU0U0hsSlRWVnFTMEZwUlVGcVdsRk5DbkJ1ZDI5WVozaE9SVmhIUVhNNFNpOU5lWGg0Y0RWTWEzazNNVGt6T1Rkc09XNW9aRkJyT0hkRFoxbEpTMjlhU1hwcU1FVkJkMDFFWVVGQmQxcFJTWGdLUVUxalUxUXhTSGd3Vm5oSWN6aGtTRFJtVms1dVNraFNjVWhXTnpCbk5HZFhXRTlWWVdoWVQyZzRObkJNWW5aUFQzTkhjVTB6ZHpodk0ydFZhR3BQTndwdlFVbDNVa05hYVZab1JHcEVjVFU1YVVSWU5pOUpUemR0Unk5bmQwNVlRbFp4UzFOUVpHTlpVbE0yYkM5VGVFMHpTbEpQVW5vNFVVTlJTek5JZEUwMUNsUlFkbTBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "wk8HiBhzwdRgIoeVymyoyZEw4wx3PJFGPTDX6o/w5ws="}, "signature": "MEUCIQDNz068ufPMmECY/reuGMHdAmHhk750sZ4wS++lcX5gLQIgKw3uKZ2voIwaLIi5tYwwbA9FThUG+NMP5bbl2KLRavc="}}